# bash completion for openssl                              -*- shell-script -*-

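# Complete the names of configuration-file sections (for options such as
# -name, -crlexts and -extensions).
#
# Reads from the caller's scope: words, cword, cur.
# Writes: COMPREPLY (one entry per matching section name).
#
# The file is either the argument following -config on the command line
# being completed, or the first of a few default locations that exists.
# Section names are file content, so they are handled strictly as data:
# they are never passed through "compgen -W", which performs shell
# expansion on its word list and would expand anything written in the
# config file at completion time.
_openssl_sections()
{
    # i is declared local so the loop counter does not leak into the
    # interactive shell that invoked the completion.
    local config f i sections section

    # check if a specific configuration file is used
    for ((i = 2; i < cword; i++)); do
        if [[ ${words[i]} == -config ]]; then
            config=${words[i + 1]}
            break
        fi
    done

    # if no config given, check some usual default locations
    if [[ -z $config ]]; then
        for f in /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf \
            /usr/share/ssl/openssl.cnf; do
            [[ -f $f ]] && config=$f && break
        done
    fi

    [[ ! -f $config ]] && return

    # Second whitespace-separated field of every line containing [...],
    # i.e. "name" for a header written as "[ name ]".  The path is quoted
    # so a config file in a directory with spaces is still read.
    sections=$(awk '/\[.*\]/ {print $2}' "$config")

    # Prefix-match against $cur by hand; no word splitting, globbing or
    # expansion is applied to the names read from the file.
    COMPREPLY=()
    while IFS= read -r section; do
        if [[ -n $section && $section == "$cur"* ]]; then
            COMPREPLY+=("$section")
        fi
    done <<<"$sections"
}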

# Print the digest options understood by the given openssl executable,
# one per line, each with a leading dash.
#
# Arguments: $1 - the openssl command to query
# Outputs:   option names on stdout
_openssl_digests()
{
    # Options that "dgst -h" describes as
    # "-<name> ... to use the <name> message digest algorithm".
    "$1" dgst -h 2>&1 |
        awk '/^-.*[ \t]to use the .* message digest algorithm/ { print $1 }'

    # Names listed by "help" under the "Message Digest commands" heading:
    # the first sed keeps the heading through the next blank line, the
    # second drops the heading itself.
    local -a names
    names=($(
        "$1" help 2>&1 |
            command sed -n -e '/^Message Digest commands/,/^[[:space:]]*$/p' |
            command sed -e 1d
    ))

    # Prefix every collected name with "-" to turn it into an option.
    printf "%s\n" "${names[@]/#/-}"
}

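# Completion function for openssl, registered with "complete -F" below.
#
# Arguments: $1 - the command being completed (as typed by the user); it
#                 is executed to query ciphers, help text and digests, so
#                 it is always quoted to survive paths containing spaces
#                 or glob characters.
# Writes:    COMPREPLY
#
# Relies on helpers defined outside this file (_init_completion, _filedir,
# _parse_help, _known_hosts_real); _init_completion is expected to fill in
# cur, prev, words and cword.
_openssl()
{
    local cur prev words cword
    _init_completion || return

    local commands command options formats

    commands='asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam
        ec ecparam enc engine errstr gendh gendsa genrsa nseq ocsp passwd
        pkcs12 pkcs7 pkcs8 prime rand req rsa rsautl s_client s_server s_time
        sess_id smime speed spkac verify version x509 md2 md4 md5 rmd160 sha
        sha1 aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
        aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc
        camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc
        camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
        des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
        des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2
        rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
        sha224 sha256 sha384 sha512 genpkey pkey pkeyparam pkeyutl'

    if ((cword == 1)); then
        # First word after "openssl": offer the subcommand names.
        COMPREPLY=($(compgen -W "$commands" -- "$cur"))
    else
        command=${words[1]}
        case $prev in
            # Options whose argument is a file name.  -prverify is the
            # spelling used by "openssl dgst"; the historical -prvrify
            # entry is kept alongside it.
            -CA | -CAfile | -CAkey | -CAserial | -cert | -certfile | -config | -content | \
                -dcert | -dkey | -dhparam | -extfile | -in | -inkey | -kfile | -key | -keyout | \
                -out | -oid | -paramfile | -peerkey | -prverify | -prvrify | -rand | -recip | \
                -revoke | -sess_in | -sess_out | -spkac | -sigfile | -sign | -signkey | \
                -signer | -signature | -ss_cert | -untrusted | -verify | -writerand)
                _filedir
                return
                ;;
            # Options whose argument is a directory.
            -outdir | -CApath)
                _filedir -d
                return
                ;;
            # Options whose argument names a config-file section.
            -name | -crlexts | -extensions)
                _openssl_sections
                return
                ;;
            # Encoding formats; a few subcommands accept one extra format.
            -inform | -outform | -keyform | -certform | -CAform | -CAkeyform | -dkeyform | \
                -dcertform | -peerform)
                formats='DER PEM'
                case $command in
                    x509)
                        formats+=" NET"
                        ;;
                    smime)
                        formats+=" SMIME"
                        ;;
                    pkeyutl)
                        formats+=" ENGINE"
                        ;;
                esac
                COMPREPLY=($(compgen -W "$formats" -- "$cur"))
                return
                ;;
            -connect)
                _known_hosts_real -- "$cur"
                return
                ;;
            -starttls)
                COMPREPLY=($(compgen -W '
                    smtp pop3 imap ftp xmpp xmpp-server telnet irc mysql
                    postgres lmtp nntp sieve ldap
                    ' -- "$cur"))
                return
                ;;
            -cipher)
                # "ciphers" prints a colon-separated list, hence IFS=:.
                # "$1" is quoted so the typed command path is run as a
                # single word rather than being split or globbed.
                COMPREPLY=($(IFS=: compgen -W "$("$1" ciphers)" -- "$cur"))
                return
                ;;
            -kdf)
                COMPREPLY=($(compgen -W 'TLS1-PRF HKDF' -- "$cur"))
                return
                ;;
        esac

        if [[ $cur == -* ]]; then
            # possible options for the command
            options=$(_parse_help "$1" "$command -help" 2>/dev/null)
            case $command in
                # These subcommands additionally accept digest names as
                # options.
                dgst | req | x509) options+=" $(_openssl_digests "$1")" ;;
            esac
            COMPREPLY=($(compgen -W "$options" -- "$cur"))
        else
            if [[ $command == speed ]]; then
                COMPREPLY=($(compgen -W 'md2 mdc2 md5 hmac sha1 rmd160
                    idea-cbc rc2-cbc rc5-cbc bf-cbc des-cbc des-ede3 rc4
                    rsa512 rsa1024 rsa2048 rsa4096 dsa512 dsa1024 dsa2048 idea
                    rc2 des rsa blowfish' -- "$cur"))
            else
                _filedir
            fi
        fi
    fi
} &&
    complete -F _openssl -o default openssl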

# ex: filetype=sh
